How to run multiple sshd instances on raspberry pi

Why you may need this

There are different use cases; the most common is to run two SSH servers with different configurations on different ports: one less restrictive, serving the local network (all users allowed, password authentication, etc.), and another with more restrictions for accessing your Pi from the internet via port forwarding on your router.

How to build

To achieve this we will create a new systemd service, similar to the standard ssh service but running as a separate process and using a different configuration file.

Make a copy of sshd_config

$ cd /etc/ssh
$ sudo cp sshd_config sshd-outside_config

Use the editor of your choice (I use Nano) and make the desired changes to your new configuration file.

# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
#--------
# OUR NEW INSTANCE OF SSHD SHOULD LISTEN ON A PORT DIFFERENT FROM THE DEFAULT (22)
Port NNNN
#--------
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2

# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Privilege Separation is turned on for security
UsePrivilegeSeparation yes

#--------
# OUR NEW INSTANCE MUST(!!!) HAVE A DIFFERENT PID FILE
PidFile /var/run/sshd-outside.pid
#--------

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
#--------
# These settings do not allow logging in as root and
# enable key-based authentication
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#--------
#AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
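
A pre-flight check for the copied config, as an added example that is not part of the original article: it compares the new file with the default one for the two things the config comments insist on (a different Port and PidFile) and for the no-root, key-only settings described for the outside instance. The function names and the sample files are made up for illustration.

```shell
# Added example, not from the original article. cfg_get and
# check_outside_config are hypothetical helper names.

# cfg_get FILE KEYWORD: print each value set for KEYWORD in the global section.
# Keywords are case-insensitive; parsing stops at the first Match block.
cfg_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2 }' "$1"
}

# check_outside_config DEFAULT_CFG OUTSIDE_CFG
# Prints one FAIL line per problem; return status is the number of problems.
check_outside_config() {
    def=$1; out=$2; problems=0
    fail() { echo "FAIL: $*"; problems=$((problems + 1)); }
    first() { cfg_get "$out" "$1" | head -n 1; }

    # Port may be given several times; an absent Port means 22.
    def_ports=$(cfg_get "$def" Port); out_ports=$(cfg_get "$out" Port)
    for p in ${out_ports:-22}; do
        for q in ${def_ports:-22}; do
            [ "$p" != "$q" ] || fail "Port $p is already used by $def"
        done
    done

    # The article requires a distinct PidFile for the second instance.
    def_pid=$(cfg_get "$def" PidFile | head -n 1)
    case "$(first PidFile)" in
        ""|"$def_pid"|/var/run/sshd.pid|/run/sshd.pid)
            fail "PidFile must be set and differ from the default instance" ;;
    esac

    # Internet-facing instance: no root login, keys only.
    [ "$(first PermitRootLogin)" = no ] || fail "PermitRootLogin is not 'no'"
    [ "$(first PasswordAuthentication)" = no ] ||
        fail "PasswordAuthentication is not 'no' (it defaults to yes)"
    [ "$(first PubkeyAuthentication)" != no ] || fail "PubkeyAuthentication is off"
    return "$problems"
}

# Constructed sample: an outside config that reuses port 22 and allows passwords.
tmp=$(mktemp -d)
printf 'Port 22\n' > "$tmp/sshd_config"
printf 'Port 22\nPidFile /var/run/sshd-outside.pid\nPermitRootLogin no\n' \
    > "$tmp/sshd-outside_config"
check_outside_config "$tmp/sshd_config" "$tmp/sshd-outside_config" ||
    echo "$? problem(s) found"
rm -rf "$tmp"
```

Running `sudo sshd -t -f /etc/ssh/sshd-outside_config` as well catches syntax errors, which this lint does not look for.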

Install the service and reboot

Created symlink from /etc/systemd/system/sshd-outside.service to /lib/systemd/system/ssh-outside.service.

Created symlink from /etc/systemd/system/multi-user.target.wants/ssh-outside.service to /lib/systemd/system/ssh-outside.service.

$ sudo reboot

Test

After the reboot you should be able to connect both to the default port 22 (with a password) and to the port NNNN specified in your config file (only with the keys properly set up). Check this article if you have trouble configuring SSH keys.

$ ssh user@raspberrypi -p NNNN

If you have trouble connecting to the alternative SSH port, connect using the default port and troubleshoot from there. A good starting point is to check the status of your newly created service.

$ sudo systemctl status ssh-outside.service

If everything works fine, you can now set up port forwarding on your router and access your Raspberry Pi from the outside world in a far more secure manner.